0b248187a0fda22086ff20301424dc97b8bcebf8308f59a0ea30383fd85a3cf2

General

Target

c85b10abe69d46e64027f311ca445b79_JaffaCakes118.exe
Size

20KB
MD5

c85b10abe69d46e64027f311ca445b79
SHA1

396f7bddf93d1d43f9061cf34b8aaf793a40f8ec
SHA256

0b248187a0fda22086ff20301424dc97b8bcebf8308f59a0ea30383fd85a3cf2
SHA512

63e71a60a9365536e711751139e84b235b05bd6680ec494a1c53bed67e0a75d0bbc7e1d17fe5712b5dc3259dd11777439d219c3e65a1930c1e89b2d71dcdb7bf
SSDEEP

384:hdtXWiJCQxsEwvK3RpSSHuGQG2Rqm4YhYQMx+L4b:hDXWipuE+K3/SSHgxmHZb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2588	DEM3F51.exe
2956	DEM96D3.exe
2772	DEMED7A.exe
1976	DEM4347.exe
1404	DEM99DF.exe
2944	DEMF048.exe

Loads dropped DLL 6 IoCs

pid	Process
2512	c85b10abe69d46e64027f311ca445b79_JaffaCakes118.exe
2588	DEM3F51.exe
2956	DEM96D3.exe
2772	DEMED7A.exe
1976	DEM4347.exe
1404	DEM99DF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2588	2512	c85b10abe69d46e64027f311ca445b79_JaffaCakes118.exe	29
PID 2512 wrote to memory of 2588	2512	c85b10abe69d46e64027f311ca445b79_JaffaCakes118.exe	29
PID 2512 wrote to memory of 2588	2512	c85b10abe69d46e64027f311ca445b79_JaffaCakes118.exe	29
PID 2512 wrote to memory of 2588	2512	c85b10abe69d46e64027f311ca445b79_JaffaCakes118.exe	29
PID 2588 wrote to memory of 2956	2588	DEM3F51.exe	33
PID 2588 wrote to memory of 2956	2588	DEM3F51.exe	33
PID 2588 wrote to memory of 2956	2588	DEM3F51.exe	33
PID 2588 wrote to memory of 2956	2588	DEM3F51.exe	33
PID 2956 wrote to memory of 2772	2956	DEM96D3.exe	35
PID 2956 wrote to memory of 2772	2956	DEM96D3.exe	35
PID 2956 wrote to memory of 2772	2956	DEM96D3.exe	35
PID 2956 wrote to memory of 2772	2956	DEM96D3.exe	35
PID 2772 wrote to memory of 1976	2772	DEMED7A.exe	37
PID 2772 wrote to memory of 1976	2772	DEMED7A.exe	37
PID 2772 wrote to memory of 1976	2772	DEMED7A.exe	37
PID 2772 wrote to memory of 1976	2772	DEMED7A.exe	37
PID 1976 wrote to memory of 1404	1976	DEM4347.exe	39
PID 1976 wrote to memory of 1404	1976	DEM4347.exe	39
PID 1976 wrote to memory of 1404	1976	DEM4347.exe	39
PID 1976 wrote to memory of 1404	1976	DEM4347.exe	39
PID 1404 wrote to memory of 2944	1404	DEM99DF.exe	41
PID 1404 wrote to memory of 2944	1404	DEM99DF.exe	41
PID 1404 wrote to memory of 2944	1404	DEM99DF.exe	41
PID 1404 wrote to memory of 2944	1404	DEM99DF.exe	41

C:\Users\Admin\AppData\Local\Temp\c85b10abe69d46e64027f311ca445b79_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c85b10abe69d46e64027f311ca445b79_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\DEM3F51.exe
  "C:\Users\Admin\AppData\Local\Temp\DEM3F51.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Users\Admin\AppData\Local\Temp\DEM96D3.exe
    "C:\Users\Admin\AppData\Local\Temp\DEM96D3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\DEMED7A.exe
      "C:\Users\Admin\AppData\Local\Temp\DEMED7A.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Users\Admin\AppData\Local\Temp\DEM4347.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM4347.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1976
      - C:\Users\Admin\AppData\Local\Temp\DEM99DF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEM99DF.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\DEMF048.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DEMF048.exe"
        7⤵
        Executes dropped EXE
        
        PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DEM96D3.exe

Filesize
20KB

MD5
f9c358fe4f8f5aec202e2809ff5cfd91

SHA1
1262b2257b239d50a7e9fe203232a598b015d079

SHA256
ecce31e90fb3109f9d31b582c9c9082298f4e840122b898792cd5ee44545f766

SHA512
79065db651644c155f8ee430f13b59e5bb8801dc93ceb85b4c8461089198322bb51daac78be6e5bedc2d81fdce6cd6475c06ca89b73c096c20cdf9c37de92573

Download Submit
\Users\Admin\AppData\Local\Temp\DEM3F51.exe

Filesize
20KB

MD5
d95c1d1a7ba2042a9da16d0a885be891

SHA1
d555a310aa8a800369c9dd34825a58293aadec0d

SHA256
e26e3e1025c5e374f0fcddf65a236071b275614e2cd7c116b1c82bf0ef64973e

SHA512
59ff0443fdd47da05518b2ab5863ebc8ab01c834e1456d0aba6ab8fcf1ea47b52848674bbca33c47269e4bd55e7436bc152ff279479cad5e4a96af571bcafacb

Download Submit
\Users\Admin\AppData\Local\Temp\DEM4347.exe

Filesize
20KB

MD5
1872c3c7943312e6991beed49f57c58e

SHA1
2a3542990f3533a933800a8eed65531d3ba47aac

SHA256
d23011017f34de837b9a9ab1884d6f97c3d937eb2806869e47653c35fbb9d4cc

SHA512
5c95b4a03afb4f98e9398ee3059a1790e77f7da3cb95f3594184afcf3834400fbfbb3ceb176ea4ff39a781c44933649945d1aaae4d488e1c5502739fd721a4ee

Download Submit
\Users\Admin\AppData\Local\Temp\DEM99DF.exe

Filesize
20KB

MD5
4a4e52614d00b373af00a4b51d7dda83

SHA1
19010b57ef0a0f25394e2edb090cadee59618375

SHA256
1a6e59382f5f8cab6a00ac193d6e5082a4514f36ac469005c127b79c63e8d578

SHA512
61d6d648b56f656b625409b7fc3f364fbd3e46197bc24400976a5d8d3aa1152749772705a147315599eee6bf6f69bf2724cd75af4fe2fc5bddb3740218aeca01

Download Submit
\Users\Admin\AppData\Local\Temp\DEMED7A.exe

Filesize
20KB

MD5
c11b3da37428270fa2708c22cfcc490e

SHA1
0798a274f4fd1be8e21e99cefb2c053c1ec64e48

SHA256
f4edf8079f4f8e6cabdfa52353a3d2a485d249563b99d25f60f401104337a3fc

SHA512
72a17095e6219a44136d41b82a443f40cddb8594c585a70639d462888792ca7c97f7fa342aacdc69689b396b77d72cd6297d3b13a7b25a83e80739a5a5077ff8

Download Submit
\Users\Admin\AppData\Local\Temp\DEMF048.exe

Filesize
20KB

MD5
effd99bee5509f3028bc2bd6613b4ec1

SHA1
4e70f8500ced8aafe9bed67b8b52bcd799094139

SHA256
1c5922d74d6ee609f8e21f2d55e55f3e15c455655c1718ce2426ae631c78604c

SHA512
9f9a5b8d4d7f659ae0e257fcd95fa9e59222f17cbae39ce9acd41117abc8cbe995bededc554e15c88e74c4619ed14c949624f72fb9308b0c308bf6943c91d5af

Download Submit

Analysis

Sharing